AD-A037  233 


CORNELL  UNIV  ITHACA  N Y SCHOOL  OF  OPERATIONS  RESEARC— ETC  F/6  9/2 
OPTIMAL  POLICY  FOR  DATABASE  BATCH  OPERATIONS:  BACKUP,  CHECKPOIN— ETC(U) 
SEP  76  J A MUCKSTADT,  6 M LOHMAN  N00014-75-C-1172 


1 °F  1 

A&37S33 

■ 

F— 

ii.  -■ 

, 



| 

END 

DATE 

FILMED 

4-77 

]?!  P9C 

i y L -j 

Jr  I i 


COPY  AVAILABLE 
PERMIT  FULLY  I 


OPERATIONS  RESEARCH 


DEPARTMENT 


COLLEGE  OF  ENGINEERING 
CORNELL  UNIVERSITY 

ITHACA,  NEW  YORK  14853 


SCHOOL  OF  OPERATIONS  RESEARCH 
AND  INDUSTRIAL  ENGINEERING 
COLLEGE  OF  ENGINEERING 
CORNELL  UNIVERSITY 
ITHACA,  NEW  YORK 


TECHNICAL  REPORT  NO.  312 


September  1976 


OPTIMAL  POLICY  FOR  DATABASE  BATCH  OPERATIONS 
BACKUP,  CHECKPOINTING,  AND  BATCH  UPDATE 


John  A.  Muckstadt 
Guy  M . Lohman 


This  research  was  supported  in  part  by  the  Office  of  Naval  Research 
under  contract  N00014-75-C-1172,  Task  NR  042-335. 


SUMMARY 


The  purpose  of  this  paper  is  to  present  a general  model  for  determining 
the  optimal  frequency  of  batch  operations.  Specifically,  optimal  backup, 
checkpointing,  and  batch  updating  policies  are  derived.  Our  approach  exploits 
inventory  parallels,  by  seeking  the  optimal  number  of  items — rather  than  a 
time  interval — to  trigger  a batch.  The  Renewal  Reward  Theorem  is  used  to 
find  the  average  long  run  costs  for  backup,  recovery,  and  item  storage,  per 
unit  time,  which  is  then  minimized  to  find  the  optimal  backup  policy.  This 
approach  allows  us  to  make  far  less  restrictive  assumptions  about  the  update 
arrival  process  than  did  previous  models,  as  well  as  to  include  storage 
costs  for  the  updates.  The  optimal  checkpointing  and  batch  updating  policies 
are  shown  to  be  special  cases  of  this  optimal  backup  policy.  The  derivation 
of  previous  results  as  special  cases  of  this  model,  and  an  example,  demonstrate 
the  generality  of  the  methodology  we  develop. 


i 


0.  Introduction. 


1 


i 


f 


‘ : 


mm 


A common  decision  database  managers  must  make  is  how  often  to  perform 
a batch  operation,  in  order  to  balance  its  fixed  costs  against  the  variable 
costs  of  accumulating  items  for  the  next  batch.  Three  variations  of  this 
decision  are  the  familiar  problems  of  how  often  to  perform: 

(1)  a backup  of  a file  in  secondary  storage,  to  preserve  any  real-time 
updating  progress  to  date  on  a backup  copy  of  the  file  for  the  eventuality  of 
a file  loss; 

(2)  a checkpoint  save  of  main  memory,  to  preserve  progress  of  a long 
job  for  the  eventuality  of  a loss  of  main  memory;  and 

(3)  a batch  update  or  reorganization  of  a file  to  make  it  current 
and/or  more  compact;. 

In  each  problem,  more  frequent  batch  operations  decrease  the  variable  costs 
associated  with  item  accumulation,  but  themselves  consume  system  time  and 
resources.  Conversely,  batch  operations  performed  less  frequently  incur  the 
fixed  costs  less  often,  but  a larger  and  more  costly  inventory  of  items 

accumulates  in  the  interims  between  batrfh  operations. 

I 

Previous  analyses  of  batching  policies  have  usually  considered  individ- 
ually  either  problem  (1)  [1,3]  or  problem  (2)  [11],  although  Sayani  has 
linked  the  two  problems  with  a somewhat  generalized  model  [10].  All  of  these 
authors  have  sought  an  optimal  time  interval  between  batch  operations,  and  all 
have  found  equivalent  "square  root  laws"  for  this  interval  [6].  The  objective 
is  always  to  minimize  the  cost  of  backup  and  recovery  (or  saves  and  reprocessing, 
in  problem  (2)),  in  terms  of  the  processing  time  or  proportion  of  this  time 
lost;  equivalently,  system  availability  may  be  maximized.  Costs  are  calculated 
for  one  cycle  of  a regenerating  process.  This  cycle  may  be  either  one  con- 
trollable batch  cycle  [1,3]  or  one  uncontrollable  inter-failure  period  [10,11], 

Items  are  always  assumed  to  arrive  at  a constant  rate,  i.e.  constant  inter- 
arrival times.  For  problem  (2)  this  assumption  is  seen  later  to  be  realistic;  for 

1 


2 


problem  (1)  it  is  not.  Failures  are  assumed  to  occur  either  at  a constant 
rate  [3],  or  as  a Poisson  process,  i.e.  exponentially  distributed  inter- 
failure times  [1,10,11].  When  exponential  inter-failure  times  are  assumed, 
either  the  Poisson  axioms  are  appealed  to  [1]  or  else  the  resulting  exponen- 
tial terms  in  the  expected  cost  must  be  approximated  by  a truncated  Taylor 
series  to  obtain  a closed-form  solution.  Usually  by  assuming  that  losses 
are  incurred  in  negligible  time,  item  and  failure  arrivals  are  prohibited 
during  backup  and  recovery  (saves  and  reprocessing).  A relaxation  of  this 
assumption  is  shown  by  Chandy  et_  al.  to  preclude  a closed-form  solution  for 
the  optimal  interval  between  batches. 

In  this  paper,  we  describe  a generalized  model  of  problem  (1).  Inventory 
theory  analogies  and  renewal  theorems  enable  a more  precise  and  general 
analysis.  An  optimal  backup  policy  is  found  via  classical  optimization  tech- 
niques. Then  we  show,  that  previous  models,  and  problems  (2)  and  (3),  are 
special  cases  of  the  model  we  develop.  A realistic  example  is  presented  to 
confirm  the  significance  of  our  generalizations.  Finally,  extensions  and 
practical  considerations  are  discussed. 

1.  The  Optimal  Backup  Policy. 

1.1  The  Problem — A Brief  Tutorial 

In  spite  of  improved  hardware  and  software  reliability,  it  is  inevitable 
that  major  failures  of  a database  system  will  erroneously  alter,  destroy, 
and/or  leave  inconsistent  the  online  files  of  a database.  Backup  copies  of 
files  must  be  retained  to  recover  from  these  file  losses,  the  only  failures 
of  concern  in  problem  (1).  Since  the  primary  oopy  of  a file  is  updated  in 
real  time,  backup  copies  must  be  revised  periodically,  usually  by  copying  the 


3 


primary  copy  en  masse  to  the  backup  copy.  This  revision  of  a redundant  copy 
is  called  a backup,  or  dumping.  An  After-image  Log  retains,  in  chronological 
order,  images — called  after-images — of  all  records  updated  between  backups. 

In  the  event  of  a failure,  the  latest  backup  is  first  reloaded  to  the  location 
of  the  destroyed  primary  copy.  This  restored  but  outdated  copy  is  then 
brought  up-to-date  by  restoring — from  the  After-image  Log — the  images  of  all 
records  updated  since  the  backup  was  made.  The  latter  process,  called  roll 
forward,  must  be  done  record-by-record.  It  therefore  can  be  very  time-consuming, 
depending  upon  how  many  updates  have  been  completed  since  the  last  backup. 

Updates  to  the  file  must  be  prohibited  during  both  backup  and  recovery.  Fre- 
quent backups  shorten  any  necessary  roll  forward,  but  themselves  consume 
time  and  resources  [ 6, 0,12]. 

1.2  The  Approach. 

The  model  developed  in  this  section  for  the  generalized  backup  policy 
problem  is  similar  to  certain  continuous  review  inventory  models  described 
in  reference  4.  This  similarity  has  also  been  observed  by  Sayani  [10]  and 
Chandy  et  al . [1].  Furthermore,  as  pointed  out  earlier,  the  optimal  time 
between  batch  operations  was  found  by  all  earlier  models  to  follow  a square 
root  law  similar  to  the  well  known  "square  root  formula"  from  inventory  theory. 
Establishing  a fixed  time  between  backup  operations  in  continuous  review  sys- 
tems, however,  requires  stringent  assumptions  concerning  the  arrival  process 
for  update  transactions.  If  the  time  between  arrivals  of  updates  is  described 
by  a random  variable,  the  backup  cycle  length — the  time  between  completing 
backup  operations — is  not  constant.  Hence  in  the  continuous  review  case 
there  is  no  "optimal  backup  interval."  Instead  of  attempting  to  find  the 
cycle  length,  another  way  of  viewing  the  problem  suggested  by  the  continuous 


review  inventory  theory  parallel  is  to  find  the  optimal  number  of  updates  to 
accumulate  between  commencing  backup  operations.  This  is  the  approach  we 
have  taken,  because  it  permits  a more  thorough  analysis  requiring  fewer  assump- 
tions to  be  made  than  required  by  previous  authors. 

Our  analysis  also  depends  heavily  on  some  important  results  from  re- 
newal theory,  specifically  the  Renewal  Reward  Theorem.  Roughly  speaking, 
this  theorem  states  that,  under  certain  mild  restrictions,  the  long  run 
average  cost  per  unit  time  is  equal  to  the  expected  cost  incurred  per 
cycle  divided  by  the  expected  cycle  length  [9].  Thus  finding  the  policy  that 
minimizes  this  ratio  yields  the  optimal  policy  for  the  problem. 

By  combining  the  renewal  theory  and  inventory  theory  concepts,  we  obtain 
a simple  method  for  computing  the  optimal  policy.  Furthermore,  as  we  shall 
see  later,  it  was  no  coincidence  that  the  previous  work  resulted  in  the 
square  root  formula,  because  the  results  are  a consequence  of  the  Renewal 
Reward  Theorem. 

1 . 3 Formulat ion . 

Before  developing  the  details  of  the  model,  it  is  helpful  to  specify  some 
nomenclature  and  assumptions.  The  decision  variable  of  the  model  is  n,  the 
number  of  update  transactions  per  backup  cycle.  The  file  has  certain 
fixed  parameters  that  affect  the  costs  and  time  of  each  cycle.  Let 

b represent  the  cost  I'  incurred  to  accomplish  a backup; 
r represent  the  cost1  to  reload  the  file  following  a failure; 
a represent  the  cost^"  to  restore  one  record's  after-image  during 
roll  forward; 

h-Iote  that  these  costs  should  include  the  opportunity  cost  of  the  users'  time, 
as  well  as  hardware  costs,  since  the  users  are  unable  to  make  updates  during 
backup  and  recovery  [6].  See  assumption  (4)  below. 


5 


s represent  the  cost  to  store  one  after-image  per  unit  time; 

3 represent  the  time  required  to  perform  a file  backup  operations 
p represent  the  time  required  to  reload  the  file  following  a failure; 
a represent  the  time  required  to  restore  one  record's  after-image 
during  roll  forward. 

Let  j index  the  backup  cycles  (j  = 1,2,3,...),  and  i index  update 
transaction  arrivals  within  a given  cycle  (i=l,2, . . . ,n) . Then  define  the 
random  variables 

N ( t ) , the  number  of  update  transactions  at  time  t that  have 

accumulated  since  the  previous  backup -operation  (K't)  = 0,1,.. 
, the  time  between  the  (i-1)—  and  i—  transaction  arrival  in 
backup  cycle  j • 

Yj , the  length  of  backup  cycle  j , including  backup  and  recovery 
times. 

Figure  1 displays  a graph  of  N(t)  through  two  backup  cycles,  given  that 
n = 5.  The  graph  also  displays  the  effect  of  one  failure  on  the  length  of 
a cycle,  as  well  as  the  associated  costs.  Each  U denotes  another  arrival 
of  an  update  transaction. 

The  model  is  based  upon  the  following  set  of  assumptions.  These  assump- 
tions, although  numerous,  are  quite  reasonable  in  practice.  Furthermore, 
they  are  considerably  less  restrictive  than  those  made  in  all  previous  models 
(1)  The  random  variables  and  X^  are  mutually  independent  for 

i ^ l and  j t h.  Futhermore,  X^.  and  X^  are  identically  distributed 

13  n1  n 

for  each  i and  j i h.  Consequently,  \ X..  and  \ X..  are  indepen- 

i=l  13  i=l  1 

dent  and  identically  distributed  random  variables  for  all  j t h.  Since  the 
inter-arrival  time  distributions  are  the  same  in  each  cycle,  there  is  no 


7 


need  to  distinguish  one  cycle  from  another,  and  the  cycle  subscript,  j,  on 
X^  can  be  dropped. 

(2)  Failures  occur  according  to  a homogeneous  Poisson  process  having 
rate  X . 

(3)  The  arrival  and  failure  processes  are  mutually  independent  random 
variables. 

(4)  Neither  updates  nor  failures  arrive  during  the  time  a backup 
takes  place  (6)  or  a recovery  occurs  (p  + a*N(t)). 

(5)  The  system  is  assumed  to  operate  over  an  infinite  period  of  time. 

(6)  The  time  for  processing  update  transactions  when  they  first  arrive 
is  negligible  compared  to  the  I/O-bound  times  B,  p,  and  a.  The  cost  of 
such  processing  is  constant  with  respect  to  the  choice  of  n,  and  hence  may 
be  ignored. 

(7)  The  distribution  of  an  update  inter-arrival  period  is  un- 

affected by  a recovery  period  that  may  split  X.^  (see,  for  example,  X^ 

in  Figure  1).  When  the  are  exponentially  distributed,  this  assumption 

is  unnecessary. 

(8)  Each  update  transaction  makes  only  one  update  to  the  file. 

(Although  this  assumption  is  assumed  by  all  earlier  models,  and  can  be 
reasonably  justified,  omitting  it  does  not  alter  the  approach  we  have  taken 
for  finding  the  optimal  solution.) 

Combining  assumptions  (1)  through  (5)  above,  we  see  that  the  are 

a sequence  of  independent  and  identically  distributed  random  variables.  Hence 
the  Y.  form  a renewal  process  to  which  the  Renewal  Reward  Theorem  may  be 
applied,  and  the  identical  probabilistic  characteristics  of  each  backup  cycle 
allow  us  to  consider  a typical  cycle  without  the  cycle  index  j.  Since  all 


r 


8 

cycles  are  alike  from  a probabilistic  viewpoint,  we  need  only  consider  a 
typical  one.  Thus  for  our  analysis  of  this  typical  cycle,  we  will  only  need 
the  random  variables 

XjL,  the  time  between  the  (i-1)—  and  i—  transaction  arrival; 
n 

T = £ X.,  the  length  cf  time  in  the  cycle  due  to  update  transaction 

• « 1 

1 = 1 

inter-arrival  times; 

K^,  the  number  of  failures  occurring  during  X^; 

M,  the  number  of  failures  occurring  during  T; 

R,  the  length  of  time  spent  on  recovery  in  the  cycle; 

and  the  expected  values  that  are  a function  of  n, 
c(n),  the  expected  cost  of  the  cycle; 
x(n),  the  expected  length  of  the  cycle. 

The  objective  is  to  select  the  value  of  n that  minimizes  the  expected 
long  run  average  cost  per  unit  time.  The  costs  considered  are  the  backup, 
recovery,  and  after-image  storage  costs.  Assuming  the  expected  cost  and 
expected  length  of  each  cycle  are  finite,  the  Renewal  Reward  Theorem  states 
that  the  expected  long  run  average  cost  per  unit  time  of  the  renewal  process 
Yj  ( j=l,2,3, . . . ) is,  with  probability  1,  equal  to  c(n)/x(n).  Thus  if  we 
compute  both  c(n)  and  x(n),  we  can  find  the  optimal  value  of  n. 

1.4  Analysis. 

We  begin  by  computing  the  expected  cycle  length,  x(n).  As  seen  in 
Figure  1, 

x(n)  = expected  length  of  time  due  to  update  inter-arrival  times 
plus  the  expected  time  to  perform  one  backup 
plus  the  expected  recovery  time  per  cycle 


9 


T 


= E { l X.}  + e + E{R|n} 

i=l  1 

= E{T|n}  + 3 + E{R|n}. 


However,  we  may  express  the  expected  recovery  time  as 


E{R|n}  = l E{R|M=m;n}P{H=m|n}. 
m=0 


Additionally,  we  know  from  assumptions  (1),  (2),  and  (3)  that 


00  , . -.m 

P{M=m | n}  = \ ■■■  dGT(t), 


where  G,j,(t)  represents  the  cumulative  distribution  function  for  T.  But 


E{R|M  = m;n}  = mp  + ct(0'E{K.jM=m;n}  + l-E{K2|M=m;n}  + ... 

...  + (n-l)-E{KjM=m;n}). 

Since  the  failure  process  is  a homogeneous  Poisson  process,  the  time  at  which 

a particular  failure  will  occur  is  uniformly  distributed  over  a backup  cycle — 

excluding  the  "dead  time"  portion  of  the  cycle  due  to  backup  and  recovery.  Then 

this  implies  that  the  probability  that  N(t)  = i - 1 when  a failure  occurs  is 

E{X^}/£{T|n},  where  i = l,...,n.  These  results  can  be  rigorously  proven  by 

first  recognizing  that  the  K^,...Kn  are  jointly  multinomially  distributed, 

n 

with  parameters  m,p  , ...,p  , given  that  ][  K.  = m.  Furthermore,  Ross  [9] 

i=l  1 

shows  that  p^  = E{X^}/E{T|n},  assuming  E{X^}  < “.  Consequently  E{K^|M=m;n}  = 
m*E{X^}/E{T|n}. 


10 


Therefore , 
E{R|n} 


{p  + o^  (i-l)E{X  }/  E{T|n})  l m f 

1 i=l  ' m=0  0 


® 00  , ,m  -At 


( At ) e 


J dG  (t) 

m!  1 


11  w 00 

= (p  + a l (i-1)  E{X.  }/  E{ T | n } } J £ 

X i=l  1 '0  m=C 


m- 


(At)  e 


m -At 


m: 


dG_(t ) 


n N a> 

(p  + a l (i-1)  E{X. }/  E{T|n}  } A ft  dGT(t) 
X i=l  1 ' 0 1 


, U v 

= ' P + a l (i-1)  E{X . )/  E{T|n}'.  A E{T|n>. 
i=l  1 


The  operations  of  integration  and  summation  may  be  interchanged  since  the 
integral  is  over  a product  of  two  functions,  each  continuous  in  t and  bounded 
uniformly  by  1.  Observe  that  E{R|n}  does  not  depend  on  the  form  of  the 
distribution  function  G^,(t),  but  only  on  the  mean  of  the  distribution!  Con- 
sequently t(n)  also  depends  only  on  E{T|n}  and  not  on  G,p(t).  The 
importance  of  this  observation  is  that  the  X^  can  have  any  distribution  and 
can  be  dependent  on  the  length  of  any  other  inter-update  interval  X^  in  the 
same  cycle. 

Similarly,  we  may  show  that 

c(n)  = E{storage  cost  per  cycle|n}  + b + Etrecovery  cost  per  cycle|n}. 

where 

n 

E{ storage  cost  per  cycle |n}  = £ s(i-l)E{X.},  and 

i=l  1 

n 

Etrecovery  cost  per  cycle|n)  - j r + a T (i-l)E{X.}/E{T|n)  ■ A E{T|n}. 

' i=l  1 

These  results  also  depend  only  on  E(T|n)  and  not  on  the  form  of  G^,(t). 

Combining  the  above  results,  we  may  write  the  ratio  c(n)/x(n)  for  any 


r 


U 

given  distribution  of  the  X^,  i=l,...,n.  The  value  of  n that  minimizes 
c(n)/x(n),  call  it  n,  is  the  optimal  number  of  update  transactions  between 
the  beginning  of  successive  backup  operations. 

An  exact,  closed-form  solution  for  n can  be  obtained  if  we  assume  that 
the  means  of  the  are  identical;  that  is,  E{X^}  = 1/y  for  i = l,...,n. 

In  this  case,  E{T|n}  = n/u,  so  that 

E{R|n}  = (p  + a — ) -p-,  and 

x(n)  = (n  + pXn  + X (n2-n)j  + 6. 

Also, 

2 

c(n)  = ^ ( S -^2  + (r  + ^<n-l))n  X^  + b. 

x(n)  gives  the  expected  long  run  cost  per  unit  time. 

(s+aX)n2  + (2rX-s-aX)n  + 2pb 

2 ‘ * 

oXn  + (2pX+2-;aX)n  + 2pg 

V/e  find  the  optimal  value  o-f  n by  temporarily  assuming  that  n is  a 
continuous  variable.  First  take  the  derivative  of  the  ratio  c(n)/x(n)  with 
respect  to  n.  This  yields 

Hn  xTnT  = 2 r2  + <2P*  + 2 - oX)n  + 2 pg]  • 

[2n(s  + aX)  + (2rX  - s - aX)] 

-[2naX  + ( 2pX  + 2 - aX)]  • 

[(s  + aX)n2  + (2rX  - s - aX)n  + 2pb]} 


Then  dividing  c(n)  by 
Specifically, 

c(n)  . 
x(n) 


Setting  this  derivative  equal  to  zero,  we  see  that  n satisfies 


12 


xn  + (2yy)n  + uz  = 0,  or 


C “ 1 I / 2 2 \ 

n = — I -uy  + / u y - yxz  , X i 0,  where 
2 2 

< x = Xps  + s + aX  p + aX  - aX  r. 


y = Bs  + aBX  - abX,  and 
z = 2(3Xr  - 2bXp  - 2b  - y. 


If  x < 0,  the  positive  root  is  the  unique  minimizing  value  of  n,  since  the 
~2 

concave  parabola  xn  + (2uy)n  + viz  has  a positive  slope  at  the  smaller  value 
of  n.  When  x > 0,  which  is  more  likely  since  a/a  will  most  likely  be 
roughly  equal  to  r/p , the  positive  root  clearly  yields  the  unique  mini- 
mizing value  of  n.  If  n is  not  an  integer,  compute  .c(n)/t(n)  for 
n = [n]  and  n = [n]  + 1,  where  [n]  represents  the  greatest  integer  less  than 

or  equal  to  n.  The  value  of  n that  yields  the  smaller  value  for  the  ratio 

is  the  optimal  integral  value  of  n. 

1.5  A Special  Case. 

A special  case  of  the  above  model  occurs  when  s = 8 = p = a = 0 (or, 

g ^ p 

equivalently,  when  — = = — and  s = 0).  In  this  situation  we  are  assuming 

that  backup  and  recovery  times  are  zero  and  storage  costs  are  insignificant. 

In  essence,  this  is  the  problem  studied  by  Chandy  et  al . , Drake  6 Smith, 

Sayani,  and  Young.  For  this  case,  x = aX,  y = 0,  and  z = -2b.  Letting  nQ 

represent  the  optimal  solution,  equations  (1)  yield 


nQ  = / 2bp  / aX. 


Since  the  expected  time  between  update  transactions  is  1/p,  the  expected 


.'•M 

K 


length  of  a backup  interval  under  this  optimal  policy  is 
(2)  nQ-i  a ✓ 2b/aXu  . 

This  is  the  result  obtained  by  all  previous  authors  [6].r 

1.6  An  Example . 

To  illustrate  the  significance  of  our  more  generalized  model,  consider 

a hypothetical  but  realistic  example.  Assume  that  the  primary  copy  of  a file 

is  stored  on  an  IBM  3330  disk,  and  that  the  logs  are  maintained  on  online 

tape.  Suppose  further  that  (5  = p = 1 hour  = 3600  seconds,  b = r = $1000, 

_g 

s = $3.2*10  /update-second  (500  byte  records  Q 20d/Kbyte-year,  for  online 
tape  [7]),  a = $0. 01/update,  a = .0467  second/update  [5],  y = 2/second, 
and  A = 4 •10"^/second  (approximately  one  loss  of  the  file  per  month).  Then 
x = 2.1609.10  8,  y = 7.24*10  6,  and  z = -2000,  so  that  n % 743190,  or 
about  once  every  4.3  days,  for  an  expected  unit  cost  of  $0. 00567/second.  The 
earlier  models,  which  ignore  storage  costs  and  significant  times  to  perform 
backup  and  recovery,  calculate  nQ  = one  million,  or  about  once  every  5.79 
days.  Sayani's  model,  which  allows  significant  backup  time,  derives  a backup 
interval  of  5.75  days  for  this  example.  The  difference  of  over  one  day  in 
these  backup  intervals  is  primarily  due  to  update  storage  costs,  even  though 
s appears  to  be  an  insignificant  price. 

2.  The  Optimal  Checkpoint  Policy. 

Accidental  loss  of  the  contents  of  main  memory,  and  especially  the 
all-important  registers,  is  even  more  common  than  file  losses.  Even  an 
interruption  of  processing  due  to  a power  failure  or  the  system  "hanging  up" 


'The  results  originally  published  by  Drake  and  Smith  were  in  error.  By 
correcting  that  error  their  result  coincides  with  expression  (2). 


■MtilNMfl 


14 


Mt 


Ik 


p 


l i - 


>.  ■ 

n 

< * 


can  cause  the  loss  of  the  registers'  contents.  This  type  of  failure  is 
called  a minor  failure,  because  less  recovery  effort  is  required  than  for 
a file  loss.  Any  job  currently  being  processed  when  a minor  failure  occurs 
must  be  reprocessed  from  the  last  checkpoint:  either  the  beginning  of  the 

job  or  a pause  in  processing  to  save  partial  results  on  secondary  storage. 

In  a multiprocessing  system,  the  pause  is  usually  coordinated  among  the 
processes  currently  active,  and  a complete  copy  of  main  memory  is  saved.  The 
frequency  of  checkpoints  in  a single  process  or  the  system  as  a whole  must 
be  determined,  to  balance  the  costs  of  saves  and  reprocessing  [8]. 

The  problem  of  determining  the  optimal  number  of  instructions  to  process 
between  checkpoints,  n',  is  a special  case  of  the  problem  solved  in  the 
previous  section,  as  can  be  seen  by  replacing  its  parameters  with  the  following 
analogous  parameters  for  checkpoints.  The  items  accumulated  in  the  checkpoint 
problem  are  instructions  in  the  jobs  that  have  been  processed  since  the  last 
checkpoint  at  the  constant  rate  p' /second.  The  batch  operation  is  a save  — 
either  of  selected  intermediate  results  of  the  jobs  or  all  of  main  memory  — 
costing  b'  and  requiring  time  g' . Minor  failures  occur  at  a rate  of  X'. 
Recovery  from  a minor  failure  requires  (1)  the  reloading  of  the  latest  save, 
costing  r'  and  requiring  time  p',  and  (2)  reprocessing  the  instructions. 

of  all  affected  jobs  completed  since  the  last  checkpoint,  each  instruction 
requiring  time  a'  = 1/p'  and  cost  a'.  Storage  costs  have  no  meaning  here 
because  instructions  are  stored  both  before  and  after  processing  regardless 
of  the  choice  of  n.  Therefore  set  s = 0.  Finally,  since  costs  here  are 

directly  proportional  to  time  (i.e.  machine  cycles)  lost,  a'/o'  = b'/6'  = 

2 1 

r'/p'  = 1.  Thus  in  equations  (1),  x = p'(a')  X , y = 0,  and  z = -2b'.  The 


optimal  number  of  instructions  to  execute  between  checkpoints  is  therefore 


15 


n'  = (a’)'1  /2bVV  , 
or  an  expected  inter-checkpoint  interval  of  length 

n'a'  = /2b' /X'  , 

as  found  by  Young  [11].  As  before,  [n']  and  [n']+l  should  be  tried  in  the 
objective  function  to  find  the  optimal  integral  solution. 

3 . The  Optimal  Batch  Size  Policy. 

When  batching  updates  for  a scheduled  maintenance,  the  optimal  batch  size, 
n*,  of  updates  must  be  determined,  in  order  to  balance  the  fixed  costs  for 
a complete  pass  of  the  file  against  the  costs  of  storing  and  delaying  incor- 
poration of  those  updates  into  the  file  [2,7].  The  basic  model  may  again  be 
applied  to  this  problem.  Replace  the  update  storage  cost,  s,  with  a parameter 
s"  that  combines  the  storage  cost  and  a batching  delay  penalty  for  each  update, 
per  unit  time.  Like  a backup,  a scheduled  maintenance  requires  a complete, 
sequential  pass  of  the  file,  costing  b"  and  taking  time  3".  Since  file 
recovery  costs  are  not  affected  by  the  frequency  of  scheduled  maintenances  in 
batch  systems,  set  X = 0.  Assuming  as  before  that  the  expected  update 
interarrival  times  are  all  equal  to  l/p",  equations  (1)  yield  x = s",y  = B"s", 
z = -2b"-  B"s",  and 


n*  = -(B'V)  + nB"u")2  + B'V  + — 


The  same  strategy  may  be  used  to  find  the  optimal  integral  solution.  Note 
that  when  delay  and  storage  costs  are  insignificant  (s"  -*•  0),  large  batches 
are  permissible  (n*  ■»  ®);  when  delay  and  storage  costs  are  prohibitive 
(s"  -*■  «)  and/or  maintenance  costs  are  low  (b"  -*•  0),  real-time  updating 


16 


T 


4 » 


f* 

t- 

t 

8 


t 


(n"=l)  is  encouraged  (since  lim  n“  1 for  all  B'V  > 0). 

s-*°° 

4.  Practical  Considerations  and  Extensions. 

The  workload  of  a typical  computer  system  is  seldom  constant . The  opera- 
tions staff  will  normally  use  long-term  batch  operations  such  as  backup  and 
scheduled  maintenances  to  level  the  system  load  during  periods  of  light 
activity,  such  as  the  late  night  hours.  Thus,  in  practice,  the  above  optimal 

A JL 

solutions  n and  n are  used  only  as  guidelines  to  pick  among  nights,  say, 
that  a particular  file  should  have  a backup  or  maintenance  done.  Using 
the  expected  interval  between  these  operations,  it  is  clearly  advantageous  to 
schedule  them  so  that  the  effort  is  spread  among  the  inactive  periods  as 
evenly  as  possible  to  avoid  "bottleneck  nights".  It  is  possible  to  formulate 
rigorously  a model  that  simultaneously  determines  the  values  for  n and  n‘ 
for  all  files.  This  model  would  be  formulated  so  that  the  possibility  of  a 
bottleneck  occuring  would  be  arbitrarily  small.  Similar  practical  considera- 
tions apply  to  choosing  checkpoints. 

In  section  1.3  we  assumed  (in  assumption  (8))  that  a single  update  occurs 
per  transaction.  When  we  relax  this  assumption,  the  process  N(t)  can  make 
jumps  of  size  greater  than  1.  The  length  of  time  to  process  updates  must 
still  be  assumed  to  be  small  compared  to  the  times  between  transaction  updates. 
Assume  the  have  a common  mean  1/v  for  i = 1,2, . . . ,£,£  ^ n,  and  the 

number  of  updates  generated  by  any  transaction  is  independent  of  those  generated 
by  all  other  transactions.  Then  the  probability  of  N(t)  being  in  any  state 
o(o  = 0,1,..., n)  in  the  embedded  Markov  Chain  can  be  written  as  weighted 
sums  of  the  probabilities  of  u updates  per  transaction,  u = 1,2,...  . 

The  approach  described  in  section  1 is  then  directly  applicable  by  using  these 
probabilities  rather  than  the  E{X^}/E{T|n} . 


J3 


J 


17 

5.  Conclusion. 

This  paper  has  presented  a general  model  for  determining  the  optimal 
frequency  of  batch  operations.  Specifically,  optimal  backup,  checkpointing, 
and  batch  updating  policies  have  been  derived.  Our  approach  has  exploited 
inventory  parallels,  by  seeking  the  optimal  number  of  items — rather  than  a 
time  interval — to  trigger  a batch.  The  Renewal  Reward  Theorem  was  used  to 

find  the  average  long  run  costs  for  backup,  recovery,  and  item  storage,  per 

unit  time,  which  was  then  minimized  to  find  the  optimal  backup  policy.  This 

approach  allowed  us  to  make  far  less  restrictive  assumptions  about  the  up- 
date arrival  process  than  did  previous  models,  as  well  as  to  include  storage 
costs  for  the  updates.  The  optimal  checkpointing  and  batch  updating  policies 
were  shown  to  be  special  cases  of  this  optimal  backup  policy.  The  deriva- 
tion of  previous  results  as  special  cases  of  this  model,  and  an  example,  have 
demonstrated  the  generality  of  the  methodology  we  have  developed. 


18 


Bibliography 


1.  Chandy,  K.M.,  Browne,  J.C.,  Dissly,  C.W.,  and  Uhrig,  W.R.  Analytic 

models  for  rollback  and  recovery  strategies  in  data  base  systems. 

IEEE  Transaction  on  Software  Engineering  SE-1,  1 (March  1975), 

pp.  100-110. 

2.  Davis,  G.B.  Management  Information  Systems:  Conceptual  Foundations, 

Structure,  and  Development,  McGraw-Hill,  New  York,  1974 

3.  Drake,  R.W.  and  Smith,  J.L.  Some  techniques  for  file  recovery, 

Australian  Computer  J.  3,4  (Nov.  1971),  pp.  162-170. 

4.  Hadley,  G.  and  Whitin,  T.  Analysis  of  Inventory  Systems,  Prentice-Hall 

Englewood  Cliffs,  NJ,  1963. 

5.  IBM  Corporation,  Intro,  to  IBM  Direct-Access  Storage  Devices  and 

Organization  Methods,  Student  Text  ($GC20-1649-8) , IBM  Corp . , 

White  Plains,  NY,  Feb.  1974. 

6.  Lohman,  G.M.  Optimal  data  storage  and  organization  in  computerized  infor- 

mation processing  systems  subject  to  failures.  Unpublished  Ph.D. 
thesis.  School  of  Opns.  Res.  and  Ind.  Engr.,  Cornell  Univ.,  Ithaca, 

NY,  Jan.  1977. 

7.  Mader,  C.  and  Hagin,  R.  Information  Systems:  Technology,  Economics, 

Applications,  Science  Research  Associates,  Chicago],  1974. 

8.  Martin,  J.  Security,  Accuracy,  and  Privacy  in  Computer  Systems,  Prentice- 

Hall,  Englewood  Cliffs,  NJ,  1973,  pp.  249-264. 

9.  Ross,  S.M.  Applied  Probability  Models  with  Optimization  Applications, 

Holden-Day,  San  Francisco,  1970,  pp.  85-118. 

10.  Sayani,  H.H.  A decision  model  for  restart  and  recovery  from  errors  in 

information  processing  systems.  Unpublished  Ph.D.  thesis.  Industrial 
Engr.  Dept.,  Univ.  of  Mich.,  1973. 

11.  Young,  J.W.  A first  order  approximation  to  the  optimum  checkpoint 

interval.  Comm . ACM  17 , 9 (Sept.  1974),  pp.  530-531. 

12.  Yourdon,  E.  Design  of  On-Line  Computer  Systems,  Prentice-Hall,  Englewood 

Cliffs,  NJ,  1972,  pp.  340-353,  515-542. 


Technical  Report  No.  31: 


OPTIMAL, POLICY  FOR  DATABASE^BATCH  OPERATIONS 
BACKUP,  CHECKPOINTING,  AND  BATCH  UPDATE  » 


John  A./Muckstadt 
Guy  M/Lohman 


r'EhFORMING  ORGANIZATION  NAME  AND  ADDRESS 

School  of  Operations  Research  and 
Industrial  Engineering,  Cornell  Univ 
14853 


Office  of  Naval  Research  (code  436) 
Dept . of  Navy 

dPP&E  NAME  AND  ADDR 


15.  SECURITY  CLASS,  (ot  this  report) 

Unclassified 


CECL  »SSIf  ICATION/  DO*  N GRADING 
SCri  =.  CULE 


!6  DISTRIBUTION  STATEMENT  (ot  1/111  Report) 


Approved  for  public  release,  distribution  unlimited 


17.  DISTRIBUTION  STATEMENT  (cf  the  sbstrect  entered  In  DJock  20,  It  dlllsrsnt  from  Kepcrt) 


18.  SUPPL  EMENT  ARY  NOTES 


Also  supported  by  the  RAND  Coroporation  under  Project  RAND 


IS.  KEY  WORDS  (Corif'no*  on  reversp  si  iV  ll  n«c»**wy  .ynrl  Identity  by  block  number) 

Datebase  batch  operations,  checkpointing,  batch  update.  Renewal  Reward 
Theorem,  Inventory  Theory. 


AEj^HACT  (Continue  cn  (r*rrM  #ioi  It  n mtessery  tn d Identity  by  block  number) 

» The  purpose  of  this  paper  is  to  present  a general  model  for  determining 
the  optimal  frequency  of  batch  operations.  Specifically,  optimal  backup, 
checkpointin,  and  batch  updating  policies  are  derived.  Our  approach  exploits 
inventory  parallels,  by  seeking  the  optimal  number  of  items--rather  than  a 
time  interval--to  trigger  a batch.  The  Renewal  Reward  Theorem  is  used  to  find 
the  average  long  run  costs  for  backup,  recovery,  and  item  storage,  per  unit 
time,  which  is  then  minimized  to  find  the  optimal  backup  policy.  This  approach 


Uncla 


process  than  did  previous  models,  as  well  as  to  include  storage  costs  for  the 
updates.  The  optimal  checkpointing  and  batch  updating  policies  are  shown  to  be 
special  cases  of  this  optimal  backup  policy.  The  derivation  of  previous  results 
as  special  cases  of  this  model,  and  an  example,  demonstrate  the  generality  of 
the  methodology  we  develop. 


Unclassified 


